Sony infinite loop vulnerability leads to DoS

Hi fellas,
this time I thought I'd look for vulnerabilities in Sony.

Before we start, let's look at what an "Infinite Loop Vulnerability" is.

Infinite Loop is catalogued as CWE-835 in the CWE knowledge base.

This weakness describes the case where a loop cannot reach its exit condition.

It is a logic error within the application which results in an endless loop: the application contains an iteration or loop whose exit conditions can never be reached.
The following example in C++ demonstrates the endless loop:
----------------------------------------------------------------------------------------------------------
//Infinite loop [CWE-835] vulnerable code example
//(c) HTB Research

#include <stdio.h>

int main(void) {
  int i = 0;
  while (i < 10) {
    if (i == 5) {
      /* i is never incremented on this branch, so once i == 5 the
         loop condition stays true forever (CWE-835) */
      printf("i equals 5\n");
    } else {
      i++;
    }
  }
  return 0;
}
------------------------------------------------------------------------------------------------------------
The above example contains a logic error. If the condition "i == 5" is true the program prints the string "i equals 5", otherwise it increments "i" by 1. However, once "i" equals 5 it is never incremented again, so "i == 5" stays true for every future iteration and the loop condition "i < 10" can never become false. This is where the infinite loop occurs.

So what's the impact?
An attacker can make the application consume all available CPU and memory resources or disk space, causing the application to hang or the system to crash; in other words, a Denial of Service.

Severity:
Medium

What is it?
A logical error

Now,

I started finding subdomains using knockpy and dnsdumpster,
and I found many subdomains, one of which was "rewards.sony.com".

So I quickly signed up, logged in and started bruteforcing directories, and I came across an error page
like this:

 /elements/error404/?aspxerrorpath=<filename>.html

So I did a quick source code review, but it didn't give me any ideas, as I had in fact skipped a couple of things in the source code.

So I ran the sniper tool and came across something like this:
/elements/error404/?aspxerrorpath=/?.jsp">here</a>

We can ignore the ">here</a>; it's nothing, just the tail of an HTML anchor scraped along with the URL.
So I copied and pasted it into the URL like this:

https://sonyrewards.com/elements/error404/?aspxerrorpath=/?.jsp">here</a>

and it started redirecting,
and I got an infinite redirect loop: it keeps redirecting me but never reaches its destination.



So the reason why this happened is probably this:
the web app gets confused by /?.jsp.
The error handler tries to locate a file called ?.jsp (the value passed in aspxerrorpath), which doesn't exist, so the error page itself fails and gets redirected back to the error page with the same value, and that keeps repeating.

This is as far as I could work it out.
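To make the loop concrete, here is an added example (my own simulation, not sonyrewards.com's code and not code from the original post) of the pattern guessed at above: a global "not found" handler that answers every missing path with a 302 to /elements/error404/?aspxerrorpath=<path>, and an error page that tries to resolve aspxerrorpath as a file and, for a value containing "?", fails and re-enters that same handler. The site map, the "?" rule, the handler names and the hardened variant are all assumptions made for the illustration; the redirect-following client at the end is the check a tester would run against either version.

```python
"""Model of the error-page redirect loop described above.

Constructed example: this is NOT sonyrewards.com's code. It simulates the
pattern the write-up guesses at, so the loop and its fix can be seen end to end:
  * a global "not found" handler that answers every missing path with a 302 to
    /elements/error404/?aspxerrorpath=<path> (ASP.NET customErrors style), and
  * an error page that tries to resolve aspxerrorpath as a file and, for a value
    it cannot resolve ("/?.jsp..."), fails and re-enters that same handler.
The site map, the '?' rule and the hardened variant are all assumptions.
"""
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

ERROR_PAGE = "/elements/error404/"
KNOWN_FILES = {"/", "/index.html", "/login/"}  # constructed site map
MAX_REDIRECTS = 20  # client-side safety limit, the same idea as curl --max-redirs


def parse(url):
    """Split a request URL into its path and a dict of first query values."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.path, query


def not_found_redirect(failed_path):
    """ResponseRedirect-style handling: 302 to the error page, naming the path."""
    return 302, ERROR_PAGE + "?" + urlencode({"aspxerrorpath": failed_path})


def render_not_found(failed_path):
    """A real 404 response. The path is only echoed as text, HTML-escaped."""
    return 404, "<p>Not found: " + escape(failed_path) + "</p>"


def vulnerable_app(url):
    """Handle one request in the vulnerable model; return (status, location_or_body)."""
    path, query = parse(url)
    if path == ERROR_PAGE:
        failed = query.get("aspxerrorpath", "")
        # Assumed logic error: the error page treats aspxerrorpath as a file to
        # locate. "/?.jsp..." has no such file, so the page itself raises
        # not-found and the global handler redirects back here, unchanged.
        if "?" in failed:
            return not_found_redirect(failed)
        return render_not_found(failed)
    if path in KNOWN_FILES:
        return 200, "OK"
    return not_found_redirect(path)


def hardened_app(url):
    """Same site with the loop closed: the error page never redirects and never
    tries to fetch aspxerrorpath, and missing files get a 404 served in place
    (ResponseRewrite style) instead of a redirect."""
    path, query = parse(url)
    if path == ERROR_PAGE:
        return render_not_found(query.get("aspxerrorpath", ""))
    if path in KNOWN_FILES:
        return 200, "OK"
    return render_not_found(path)


def follow(app, url, max_redirects=MAX_REDIRECTS):
    """Follow 302s the way a browser would, but give up on a URL already seen or
    after max_redirects hops. Returns (outcome, final_status, hops)."""
    seen = set()
    hops = 0
    while True:
        seen.add(url)
        status, payload = app(url)
        if status != 302:
            return "done", status, hops
        if payload in seen or hops >= max_redirects:
            return "redirect_loop", status, hops
        url = payload
        hops += 1


if __name__ == "__main__":
    trigger = '/elements/error404/?aspxerrorpath=/?.jsp">here</a>'
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(name, "trigger      ->", follow(app, trigger))
        print(name, "missing.html ->", follow(app, "/missing.html"))
```

Against the vulnerable model the crafted URL comes back as a redirect_loop after one hop (the Location it sends is the URL it was just asked for), while a plain missing file reaches the 404 page after a single redirect, which is why normal browsing never shows the problem. The hardened model closes the loop in two ways: the error page only ever echoes aspxerrorpath, escaped, and missing files are answered with a 404 served in place rather than a redirect (in ASP.NET terms, customErrors with redirectMode="ResponseRewrite" instead of the default ResponseRedirect). On a live target the quick check is curl -L -s -o /dev/null -w '%{num_redirects}\n' <url>; curl stops on its own after its --max-redirs limit, and a count that hits the limit is the loop.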

So I reported it to Sony, and they replied saying they had reviewed it and found it genuine, but classed it as a best practice recommendation,
which seems legit, as it's a bad implementation.

References
http://cwe.mitre.org/data/definitions/835.html

# I think many ASP.NET based websites are vulnerable to this infinite loop / DoS issue.

Thank you for reading
enjoy :-)
